from the not-so-secure dept

And the latest report on the Ed Snowden leak documents has come out and it's yet another big one: the NSA and GCHQ have basically gotten backdoors into various key security offerings used online, in part by controlling the standards efforts, and in part by sometimes covertly introducing security vulnerabilities into various products. They haven't "cracked" encryption standards, but rather just found a different way in. The full report is worth reading, but a few key points are worth highlighting.

First, the NSA spends $250 million per year to "covertly" influence tech product designs. The report suggests two ways this is happening. First, by infiltrating standards bodies:

Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.

"Eventually, NSA became the sole editor," the document states.

That's disturbing enough, but it gets worse. While the Guardian report suggests that unnamed tech companies are "collaborating" in inserting these kinds of backdoors, that's not entirely clear, because later in the document, they suggest that the NSA is recruiting covert operatives within telco firms to insert vulnerabilities:

To help secure an insider advantage, GCHQ also established a Humint Operations Team (HOT). Humint, short for "human intelligence" refers to information gleaned directly from sources or undercover agents.

This GCHQ team was, according to an internal document, "responsible for identifying, recruiting and running covert agents in the global telecommunications industry."

"This enables GCHQ to tackle some of its most challenging targets," the report said. The efforts made by the NSA and GCHQ against encryption technologies may have negative consequences for all internet users, experts warn.

Did you get that? Rather than recruiting spies from, say, governments, the NSA and GCHQ are recruiting employees at telcos to help them suck up and access all your data.

All of this activity has apparently led to some major breakthroughs, allowing them to access plenty of data they didn't have access to previously. Just last week we'd written about major successes by the NSA having to do with encryption, and this report reveals more details:

"For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies," stated a 2010 GCHQ document. "Vast amounts of encrypted internet data which have up till now been discarded are now exploitable."

An internal agency memo noted that among British analysts shown a presentation on the NSA's progress: "Those not already briefed were gobsmacked!" The breakthrough, which was not described in detail in the documents, meant the intelligence agencies were able to monitor "large amounts" of data flowing through the world's fibre-optic cables and break its encryption, despite assurances from internet company executives that this data was beyond the reach of government.

Once again, we're seeing rather extreme behavior on the part of the NSA and GCHQ as they try to basically be able to dig into every possible communication.

This may not be the popular opinion here...

See, this is a good example to use to explain why I am personally torn on some of these matters. And also reveal how some of the more extreme NSA actions have put "good" parts of the program in trouble.

Personally and in theory (because the practice has proven the theory moot), I don't have a problem with the NSA having the capability of digging into any communications. My issue with the NSA has been how they have been exercising that capability-- with no oversight, no accountability, not even auditing. Storing vast amounts of data, and using even the most tenuous excuse to collect & store more data even when a plain reading of the lie makes it clear that the NSA is spying on those they're prohibited from spying upon.

There are good reasons for the NSA to have this capability, and if properly used could be properly employed to find the bad guys. Instead, we see the NSA abusing this power (which may, I concede, be an inevitable outcome of the program) to simply enlarge the haystack. As a consequence, the NSA's ability to dig into any & all communications will be hurt, even as the haystack grows in other ways. Meanwhile, all the needles will have moved elsewhere.

If the NSA wasn't so broadly overreaching elsewhere, I'm not sure that leaking this information *alone* would serve any purpose other than to harm the NSA's ability to perform its mission. However, we know how far beyond its mission the NSA has crept, and this simply provides more evidence that the NSA can crack just about any data on the internet.

The program is brilliant in a way, and if they were just using it to narrowly target foreign or terrorist agents acting against the US, as a citizen I would support the program. In light of the whole mess, it's just more evidence that the NSA wants to vacuum up everything. Laws be damned.

Re: This may not be the popular opinion here...

My issue with the NSA has been how they have been exercising that capability-- with no oversight, no accountability, not even auditing

That is the problem with having this kind of power. It's human nature to abuse it. I am absolutely sure that the NSA never intended to use this ability for anything other than trying to find "the bad guy", but it is amazing how quickly "the bad guy" turns into "the guy that disagrees with us".

What goodwill the NSA had is gone. There may well have been a good reason at the start for infiltration but that good reason has been stomped in the mud and well trampled over. What remains, now guiding the NSA, is rotten to the core along with the present administration supporting it.

Everything you have been told about what the NSA cannot do, about how there are all sorts of safeguards and oversight, and how the NSA works its data has all, every bit, been a pack of lies. They have violated the intent and the letter of law as well as the Constitution and the Bill of Rights and then claimed everything was ok. That everything was safeguarded. Well that might be the view of the NSA prior to the Snowden leaks. It sure isn't my view nor that of others I am hearing from.

The dirty underwear has been partly exposed. There's plenty we don't know of still. None of those things being revealed are on track to be anything resembling what the US is supposed to be about. Human rights have been thrown out the window in favor of examining anyone's life under a microscope. It just keeps getting dirtier as more is exposed. It is far beyond the scope or the mandate of an agency charged with foreign spying. There is no way the entire population of the US are terrorists. There is no way that everyone's phone call is relevant to an investigation. Attempting to dance around the meanings of words by giving them new definitions does not change the actions. Those actions are exactly what they look to be.

Again we just have more ammo that this agency and this government have been infected with a near rabid paranoia of everyone and everything. It is time for this to come to a halt.

No one ever guaranteed your personal safety. All that was ever given you was the right to freedom, liberty, and the pursuit of happiness. (along with the right to freedom of personal searches of your papers and correspondence without due process). Due process has turned out to be inconvenient. Legality has turned out to be burdensome. We have reached the point that criminal charges and indictments are in order.

Re: I did say "earth-shaking" revelation in an earlier thread

Well, let's put it this way. A few weeks ago I mentioned how much of your online purchasing and transactions could be tracked by tracking your email. From the sound of this, they don't even need to resort to that, they've broken all the common secure connections people use for banking and online purchasing, and can monitor your activity directly.

I really wish people speaking out against the NSA would make the point that this means that the NSA can monitor you accessing your bank account, as well as monitoring all of your online purchases. That might make it more real for people than the more generalized "the NSA has broken a bunch of common encryption methods."

Re: Re: This may not be the popular opinion here...

Right. Which is why the NSA needs to stick strictly to its mission of being a foreign intelligence agency. The NSA should never spy on domestic communications, and they should never share that information with law enforcement unless it relates to a foreign/terror threat.

It is unclear if the NSA, as an organization, is capable of sticking to their assigned mission.

They compromised the STANDARDS?!?!

We are so screwed.

The NSA, in their arrogance and hubris, has deliberately enabled every phisher, every spammer, every scammer, every pedophile, every stalker, every thief, every extortionist, every blackmailer, every psycho on the planet who has basic security skills. Because if the standard is compromised, then every piece of software written to that spec is also compromised, and it's simply a matter of who can figure out a way to exploit it.

The consequences of this are enormous. Is HTTPS affected? (probably) Is email affected? (definitely) Are VPNs affected? (probably) How about DNSSEC? (unknown) How about SSH? (unknown) How about BGP security? (probably)

Re: Skype

Puts _NSAKEY to shame

Aye, Mates, this revelation puts the old "_NSAKEY" Microsoft backdoor to shame.

But what other consequences does this sort of backdooring have? The US Government has a notorious weakness for Microsoft products, products of ... arguable quality and fitness for service. Given that the US Gov sets de facto standards that essentially mandate MSFT software, can we trust MSFT software in the slightest?

I'm going to need a while to apprehend the weakness of mind and morality that this revelation lays bare before us, Mates.

Re: Re: Re: I did say "earth-shaking" revelation in an earlier thread

Yeah, but the problem is that you can't really use cash online. And even if you use a credit card, it probably isn't as easy to get the information, or as complete information, as monitoring the transaction real time.

Re: Puts _NSAKEY to shame

To answer your question: no. And that's without NSA tampering. Best practice is to ban all MSFT products from your operation and make it a termination offense to introduce them.

Don't tell me it can't be done. I've been doing it -- quite successfully, by the way -- for a very long time. I save a ton of money, I don't have to deal with licensing issues, my security posture is tremendously improved, I have almost no interoperability issues, and I can laugh and laugh and laugh at all the chumps who are slaves to Redmond.

This is getting ridiculous

From the NYT version of the story:

In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.

So now we can't trust Dell, HP, or Apple to not ship root-kitted machines to their customers?

Re: Puts _NSAKEY to shame

Since all the cool kids are walking around with their iPhones/iPads/and other assorted iShit, I suspect they'd be more focused on breaking Apple's encryption than getting Microsoft to play ball these days.

It should be noted that Microsoft's already been saying they'd explain themselves (probably in their usual "craptastic PR fiasco" fashion) but they can't because the NSA's got them gagged with the whole "you must cooperate with us because national security, and you can't tell anyone about under penalty of, well, whatever the harshest thing we can think of if you try and speak out" thing.

Will it negatively affect Microsoft in the short-run? Depends on how much the average American thinks beyond "holy shit the NSA's breaking the Internet!1!" and what happens after that.

Re: This is getting ridiculous

N.S.A. documents show that the agency maintains an internal database of encryption keys for specific commercial products, called a Key Provisioning Service, which can automatically decode many messages. If the necessary key is not in the collection, a request goes to the separate Key Recovery Service, which tries to obtain it.

You figure they own the master cert keys that are trusted by your browser (e.g. Verisign, etc.)? I suppose all they need is one.

Re: This may not be the popular opinion here...

This is just wishful thinking - the oversight means revealing, revealing means decrease in efficiency. No oversight brings the mess we're in now. And no, I do not trust the government having the power to access all my communication. It is just big brother.

Look, this is yet again another attempt by Masnicking Mike to distract us from the fact that Google lives in Endor. Google is a Wookie, why would a Wookie live in Endor! It makes no sense. Just like Techdirt makes no sense!
------------------
Techdirt... LOOK AT THE MONKEY!

Another unpopular opinion

I've been asking why we can't just shut down the whole fricking system outright, because it's pretty damned obvious that the NSA will never, ever stop doing this short of being shut down totally, and then the individuals prosecuted for all of it from top to bottom.

Everyone who tries to justify this stuff under any guise is either a fool or part of the problem.

"Give them an inch, and they'll take a mile."

Until the NSA and the government are stopped in their tracks we will continue to wail and moan, bitch and complain about being hacked, spied and trolled by our government.

Re: Re: This may not be the popular opinion here...

NO NO NO.

You have to assume that both the bad guys and good guys have this capability. Wait. Never mind about the good guys part. They become bad guys by simply having that capability and because of human nature.

Instead, we should be using strong encryption for everyday communications, and digital signatures for authentication. Encryption keys need to be in the endpoint devices with encrypted bits passing through all intermediaries.

The trust model of SSL with central certificate authorities is broken and needs to be fixed.

Re:

Open Source software is a different issue than choice of encryption algorithm.

The book Applied Cryptography discusses this and many other subjects.

I'll try to summarize several important points.

To design a good algorithm requires talent, a background of attacking encryption algorithms, and scrutiny of other people with similar talent and background. (The background of attacking algorithms is probably the single most important prerequisite.) Anyone can design an algorithm they themselves cannot break, but that doesn't mean someone else cannot break it.

In the early days of digital cryptography national governments had the only large enough pool of talented people to design great algorithms. (I'll call them the "secret group".) Eventually the "open group" of everyone else got large enough to design good algorithms.

In order for an algorithm to get good scrutiny the algorithm must be known to everyone. There should not be any secrets -- including even magic numbers used in the algorithm with no explanation of why and how they were chosen. The openness is important only so that enough people can scrutinize the algorithm and see that it withstands analysis over a period of time.

If an algorithm is kept secret, this doesn't mean it isn't secure, it may simply be 'open' to the "secret group" of people who scrutinize and analyze it. If that pool is large enough, then it really is 'open' in some sense and had sustained analysis over a period of time -- just in secret.

If the NSA publishes an algorithm, and it contains no secrets, and has been studied for years by the open community, then it is probably safe to use.

Remember the NSA has a dual mission.
1. To spy on foreign bad guys
2. To protect domestic "good" guys from being spied on

Giving us good encryption algorithms, and giving us source code such as the SELinux patches, falls under number 2. Giving banks good encryption, for example, is in the national interest. Making sure ATMs can securely communicate with the bank is important. But it's always wise to remember the number 1 part of their mission. They may give us encryption that is just 'good enough' so that nobody but themselves (and possibly other major national efforts) can crack or even merely attack it.

Uncle Sam

The problem you (most Americans) do not understand is that Uncle Sam does not care about the information/intelligence about terrorists. If they did, they could have stopped the 9/11 or similar terrorist attacks. Uncle Sam needs such covers/excuses to legitimize its spying activities and its power of authority to dominate the world. This does not mean that the domination has to be by means of physical existence (which they are already) but by means of intelligence (the power of knowledge). Just think about this and of course there is more about it. Look from the government's point of view; it must know what the citizens are doing, what the companies are doing, what the enemies are doing, and what the allies are doing etc...

Re: Re: Re: Skype

Re: Re: Re: Re: Skype

Substitute "Google" for "Skype". Would you be asking the same question?

Possibly, though I'm more aware of alternatives to most Google services. Perhaps you read too much into my question. I wasn't trying to imply there are no alternatives, I was curious if he had any recommendations.